This document is intended for technical staffs such as security engineers and those who are responsible in planning, implementing and maintaining the security of the mobile devices.

It covers the type of mobile devices that are applicable such as smart phone and tablets. Basic cell phones and laptops are out of scope as their threat level and security control options are different.

It also talks about the different high-level threats and vulnerabilities related to these devices, as they are generally higher risk exposure that other client devices such as desktop and laptop. These threats are,

Lack of physical security controls

Use of untrusted mobile devices

Use of untrusted networks

Use of applications created by unknown parties

Interaction with other systems

Use of untrusted content

Use of location services

The next section of the document provides an overview of the current state of the MDM (Mobile Device Management) technologies, which mainly comprise of the components, the architectures and the capabilities. For components, it talks about the type of MDM solution between the solution from same vendor of the mobile device and using third party product that can manage one or more types of mobile devices. The architectures deal with the different consideration and the use of other enterprise services based on business requirement. As for the capabilities of the MDM, it should provide the following security services,

General policy that can enforce enterprise security policies on the mobile device.

Data communication and storage that provide strong data encryption during communication and on storage. It should also have the ability to remotely wipe the device.

User and device authentication, which includes account and device lockout and remotely locking of the device.

Application. It should be able to restrict the installing and removal of applications. Prevent access to enterprise resources based on devices OS (Operating System) version and status (rooted or jailbroken).

Lastly, it talks about the security for the life cycle of the enterprise mobile device solution, which covers from policy down to operations. This life cycle consist of 5 main phases.

Phase 1: Initiation. This phase include identifying needs for mobile devices, creating a high-level strategy for implementing mobile device solutions, developing a mobile device security policy, and specifying business and functional requirements for the solution.

Phase 2: Development. In this phase, it covers technical characteristics of the mobile device solution and related components. These include the type of authentication methods, cryptographic mechanisms and the type of mobile device clients to be used.

Phase 3: Implementation. This phase involve equipment configuration to meet operational and security requirements. Ensuring the integration with other security controls such as security event logging and authentication servers.

Phase 4: Operations and Maintenance. This phase will cover security related tasks that should be performed on an on-going basis such as log review and attack detection.

Phase 5: Disposal. This phase will cover the tasks for retiring of components and the mobile device solutions, including preserving of information to meet legal requirements, sanitizing and disposing of equipment properly.

Affiliates

Visitor Information

RSS Feed

The following text will not be seen after you upload your website,
please keep it in order to retain your counter functionality

Disclaimer

The knowledge and tools recommended are for educational purposes. Implementing of the knowledge or tools may violate the laws in certain country. I shall not be liable to any wrong doing or violation of laws by anyone that uses the knowledge or tools that are recommended in this website.